IT SECURITY SPECIALIST
DRAFT

I. DESCRIPTION OF WORK

Positions in this banded class plan, coordinate, and implement security measures to protect information and information processing assets. They design and implement network control mechanisms to control access to computer networks; manage vulnerabilities within the information processing infrastructure; manage threats and incidents impacting information resources; assure through policy the appropriate use of information resources; and educate users on their information security and privacy responsibilities. They also implement application access controls, such as password authentication, that grant access only to authorized users. They employ the appropriate intrusion detection and prevention tools and procedures to detect and protect against hackers, worms and other malware. They may be responsible for planning, developing, and managing the physical and environmental security required to address the threats, vulnerabilities, and countermeasures required to protect information assets and the premises in which they reside. Employees are responsible for the strategic and tactical development and implementation of their IT risk management, business continuity planning and disaster recovery plans, and for collaborating with the agency's/university's departments in the implementation of departmental plans. Employees may be responsible for developing information security policies, standards and best practices, and for ensuring that state and federal information security requirements are implemented.

Page 1 of 8

II. ROLE DESCRIPTIONS BY COMPETENCY LEVEL

Contributing

Positions at this level scan networks and systems for their level of vulnerability to threats. They are also involved in identifying any emerging vulnerabilities of the system. They produce reports for management to identify potential risks. Positions may meet with systems administrators to identify security patches available to minimize vulnerabilities and risks. Positions at this level may serve as identity management/password authentication administrators to control users' access to systems. They monitor reports of computer viruses to determine when to update virus protection systems. Positions communicate procedures and one-time passwords to users of the systems. This usually entails keeping up-to-date lists of users as well as helping employees who have forgotten passwords or accidentally violated security procedures. Positions may serve as disaster recovery analysts who advise on the development, documentation and maintenance of disaster recovery plans. Work on information security training and awareness campaigns. Evaluate new threats and communicate them to the agency or institution. Review risk assessments. Support cyber incident response.

Journey

Positions at this level may design, develop, and maintain security regulations, procedures and department-wide rules for moderately complex agencies or universities. They analyze information obtained from intrusion detection and prevention systems and work with advanced security protocols and standards, including recommended blocks to apply. They evaluate and develop approaches to security solutions. Positions proactively assess potential items of risk and opportunities for vulnerabilities in the network. They may research and help develop security practices. They analyze traffic trends and system logs and propose security policy changes. Positions may also serve as disaster recovery analysts who establish disaster recovery programs and business continuity planning across multiple platforms. Create requests for proposal (RFP) and help evaluate RFP responses for information security projects. Review new projects, systems and applications for compliance with statewide or institution policies. Create and maintain the agency or institution's security training and awareness effort. Create and conduct risk, system and application assessments. Create and maintain the cyber security incident response plan.

Advanced

Positions at this level establish enterprise security regulations and procedures based on federal and state laws and mandates. They design and manage security systems and architectures for possible enterprise-wide implementation (statewide or large complex universities/agencies) that protect federally mandated information such as tax records, health information, research data, state security records or student educational records. They design security systems for organizations with complex network systems, major databases, emerging technologies, or systems with known vulnerabilities. Positions may be responsible for establishing and maintaining an enterprise-wide information risk management program to ensure that information assets are adequately protected. They act as an advisor to the enterprise's business units and should have an understanding of the latest security threats, trends, technologies, and regulatory requirements. Some positions at this level may serve as forensic experts to recover information from computers and data storage devices. They often work alongside law enforcement officers, helping to solve cyber crimes or find electronic evidence of other kinds of crime, using forensic tools and investigative methods to find specific electronic data, including Internet use history, word processing documents, images and other files. They also transfer the evidence into a format that can be used for legal purposes (i.e. criminal trials) and often testify in court themselves. Serve as cyber incident response leader.

III. COMPETENCIES

Competency: Knowledge - Technical
Definition: Knowledge of computers and related information technology services and the ability to keep up with current developments and trends in areas of expertise.
Competency: Technical Solution Development
Definition: Ability to demonstrate a methodical and logical approach to addressing customer needs. Ability to use innovative solutions and/or designs where appropriate.

Competency: Technical Support
Definition: Ability to understand internal/external customer technologies and problem resolution techniques. Ability to communicate effectively with customers. Ability to listen to symptom descriptions; to analyze problems; to respond effectively and to provide constructive feedback to the client on problem resolution.

Competency: Consulting/Advising
Definition: Ability to provide advice and counsel. Ability to understand client programs, organization and culture.

Competency: Knowledge - Professional
Definition: Possession of a designated level of professional skill and/or knowledge in specific area(s) and the ability to keep current with developments and trends in area(s) of expertise, usually acquired through postsecondary education.

Note: Not all competencies apply to every position/employee; evaluate only those that apply. Competency statements are progressive.

IV. COMPETENCY STATEMENTS BY LEVEL

Knowledge – Technical
Knowledge of computers and related information technology services and the ability to keep up with current developments and trends in areas of expertise.

Contributing / Journey:
Knowledge in system technology security testing (vulnerability scanning and penetration testing).
Proficient use of various tools and techniques, including risk, business impact, control and vulnerability assessments, used to identify business needs and determine control requirements.
Knowledge of network infrastructure, including routers, switches, firewalls and associated network protocols and concepts.
Understanding of the basic tenets (CIA) of security: confidentiality, integrity and availability.
Considerable knowledge of computer equipment and security software.
Knowledge of security access control techniques.
Thorough understanding of the basic tenets (CIA) of security in complex environments: Confidentiality – protecting data from unauthorized access; Integrity – ensuring the data is as it was or should be (i.e. unchanged); and Availability – ensuring systems, data and networks are up and redundant where needed (i.e. backups).
Detailed understanding of IT controls available to enforce the CIA tenets.
Detailed understanding of system technology security testing (vulnerability scanning, sensitive data scanning, and penetration testing).
Understanding of cryptography: understands basic principles of Public Key Infrastructure, knows the importance of protecting passwords with encryption and salt, and has the ability to recognize and verify self-signed certificates.
Substantial knowledge to perform information security, application security, information systems, physical security and network security assessments.

Advanced:
Excellent technical knowledge of mainstream operating systems (for example, Microsoft Windows and AIX UNIX) and a wide range of security technologies, such as network security appliances, identity and access management systems, cryptography, antimalware solutions, automated policy compliance and desktop security tools.
Substantial knowledge in developing, documenting and maintaining security policies, processes, procedures and standards.
Substantial knowledge in strategic planning, implementation and maintenance of information security programs.
Detailed understanding of technical issues to design architecture for new or emerging technologies.
Detailed understanding of technical, substantive, and methodological issues and theories to direct technical staff.
Substantial knowledge of other work specialties.

Technical Solution Development
Ability to demonstrate a methodical and logical approach to addressing customer needs. Ability to use innovative solutions and/or designs where appropriate.

Contributing / Journey / Advanced:
Understand the IT controls available to enforce the CIA tenets of authentication & authorization: principle of least privilege and password constructs and controls.
Knowledge of network/systems controls, patching and mitigation of vulnerabilities, logging and data backups.
Ability to determine and provide users access/accounts with only the privileges needed to complete their assigned tasks.
Ability to apply standard and nonstandard technology applications, and to explore and adapt changing technologies.
Ability to apply judgment independently to technical work assignments to achieve desired outcomes.
Ability to understand the available methodologies of authentication & authorization and which is appropriate in particular settings.
Thorough knowledge of federated models, local systems, enterprise directory services, and third-party APIs.
Extensive knowledge of the principle of least privilege and the ability to recognize and report when a user's privilege exceeds what is needed to complete their work.
Ability to design password constructs and control policies, determining the complexity requirements based on regulatory laws, the change intervals needed and recovery methodologies.
Ability to investigate, research and implement new technologies in security issues and new innovations.
Ability to provide technical leadership on complex projects.
Ability to integrate knowledge of other work specialties to achieve solutions to problems of high complexity.
Ability to secure highly complex information technology systems.
Ability to recommend information technology security and privacy solutions to address complex and emerging information security and privacy issues.
Ability to plan, implement and maintain a strategic information security program inclusive of information security policies, regulations, standards and procedures.
Where patching of vulnerabilities cannot be applied, must be able to develop mitigating controls to protect the IT asset.

Technical Support
Ability to understand internal/external customer technologies and problem resolution techniques. Ability to communicate effectively with customers. Ability to listen to symptom descriptions; to analyze problems; to respond effectively and to provide constructive feedback to the client on problem resolution.

Contributing / Journey / Advanced:
Ability to recognize security incidents and report them to the appropriate security management.
Assist the higher level security officers with incident response by providing logs, removing the system from the network, and providing expertise on the specifics of the system.
Ability to detect vulnerabilities that may have occurred as a result of misconfiguration.
Ability to maintain logs for the expected timeframe under state record retention rules.
Ability to ensure backups of data and systems are performed on a routine schedule.
Ability to serve as a technical resource in solving security problems of high complexity.
Ability to recognize and eliminate unneeded processes from systems that may expose the system to undue risk.
Understands that only the network ports needed for the system to fulfill its desired function should be open.
Extensive understanding of logging systems in order to ensure systems are configured to log appropriate security events.
Strong understanding of the restore process in order to test the usability of the backup, including application testing using the restored data.
Proficiency in forensic response and reverse engineering.
Insightfulness to discover the latest exploit methodologies.
Ability to develop solutions that impact multiple customers/applications or are used at the enterprise level.
Ability to work with network/system controls by understanding network architecture tiers and to incorporate these principles into proposed system designs.
Able to leverage monitoring services to detect potential security threats and incidents.
Ability to research and develop the proper backup media and storage security protections as dictated by the type of data contained.
Ability to provide information security solutions to reduce information security and privacy risks.
Ability to provide security best practice recommendations as required by federal and state regulatory requirements.

Consulting/Advising
Ability to provide advice and counsel. Ability to understand client programs, organization and culture.

Contributing / Journey / Advanced:
Ability to work with teams to prioritize security needs and to effectively get cooperation from IT professionals to get those security controls in place.
Strong conflict management skills in order to work with senior management to ensure security and data protection rules and regulations are in place on protected private information (PPI).
Knowledge of the security industry and regulations that have an impact on the customer's business and data protection issues, and the ability to provide an appropriate solution set to address the business needs.
Ability to consult with senior level decision-makers, on an ongoing basis, to develop long-range strategic security alternatives.
Ability to build client support of ITS objectives.
Ability to work with agency and university security personnel to develop appropriate risk mitigation policies.
Ability to consult with legal, risk management, audit, compliance and external entities on information security issues.
Ability to advise security personnel and senior level management on best practices of business continuity and disaster recovery planning.
Knowledge of best security practices of business continuity planning and risk management needed to consult with senior level management and IT specialists in ensuring their agency/university's business continuity and disaster plans are in place.
Knowledge of the IT security market and industry and federal and state regulations that have an impact on the state's technological business.
Ability to provide security expertise and consulting to committees, boards and lower level technical analysts/specialists on a regular basis.
Ability to lead information security committees and provide strategic direction on major information security initiatives.
Ability to provide guidance to legal, risk management, audit, compliance, and external entities on the resolution of information security issues.
Provide resource assistance in the implementation of security best practices for business continuity planning, risk management and disaster planning to senior level management and IT specialists to assist the agency/university's development and maintenance of appropriate business continuity, risk management and disaster plans.
Ability to design information security awareness training programs.
Ability to develop and deliver information security and awareness training to users.

Knowledge - Professional
Possession of a designated level of professional skill and/or knowledge in specific area(s) and the ability to keep current with developments and trends in area(s) of expertise, usually acquired through post-secondary education.

Contributing:
Holds and maintains basic security certifications, such as Security+ (where applicable) or National Security Agency – Information Assessment Methodologies (NSAIAM).

Journey:
Holds and maintains more complex certifications such as SANS Global Information Assurance Certifications (or similar – e.g. Carnegie-Mellon CERT); Security Essentials Certification (GSEC); Information System Security Certification Consortium (ISC)2; or Systems Security Certified Practitioner (SSCP).

Advanced:
Holds and maintains the most complex and difficult certifications available in IT security, such as:
Specialized SANS Global Information Assurance Certifications based on field of work: Certified Incident Handler; Certified Intrusion Analyst; Penetration Tester/Web Application Penetration Tester; Certified Forensic Analyst/Examiner.
Information System Security Certification Consortium (ISC)2: Certified Information Systems Security Professional (CISSP).
Vendor and Government Certifications: Seized Computer Evidence Recovery Specialist (Federal Law Enforcement Training Center); EnCase Certified Examiner Certification (EnCE); AccessData Certified Examiner (ACE); Certified Information System Auditor (CISA); Certified Ethical Hacker (CEH); Certified Information Security Manager (CISM).